A few weeks ago I told the story of Mary, one of my customers whose Hotmail account was hijacked by the Internet bad guys.
The bad guys were using her account to send scam emails to her friends and relatives, trying to steal as much cash as they could. One relative actually sent the crooks $2,500, thinking he was helping Mary and her family in a time of crisis.
How did the scammers hack into Mary’s Hotmail email account? Unfortunately, without a lot of extensive forensics work, there’s no way to tell exactly how they got in. Internet crooks have a big bag of tricks, some of which (including what the scammers were doing with Mary’s account) are listed on the FBI’s website at fbi.gov/scams-safety/e-scams. Let’s take a look at how the bad guys may have gained control of Mary’s account.
Social engineering: fake verification emails, fake login pages. Many people have reported receiving an email from “Hotmail Customer Care,” requesting that they log in and “verify” their accounts. The emails look real, and when victims click on the “verify” link, they are sent to a real-looking Hotmail login page. Both the email and the page are, in fact, fakes designed to harvest usernames and passwords; log in on the fake page and the bad guys win.
Fake “Vote for me!” emails. You get a real-looking email from a friend asking that you vote for them in some online contest, like “Best Picture,” or something like that. You are asked to log in to your Facebook account and vote. You click on the link, which leads to a fake-but-real-looking Facebook login page, and you dutifully type in your username and password. Because you use the same password for Facebook as you do for your email, bingo, you’re busted.
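Both tricks above depend on nobody checking where the link really goes. Here is that check written out in Python, as an added example that is not part of the original column; the trusted domain list and the sample links are assumptions made up for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the sign-in domains this reader really uses (not from the column).
TRUSTED_LOGIN_DOMAINS = ("live.com", "facebook.com")

def check_login_link(url, trusted=TRUSTED_LOGIN_DOMAINS):
    """Return (ok, reason) for a link that claims to lead to a login page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    if "@" in parts.netloc:
        # Everything before '@' is ignored by the browser; the real host follows it.
        return False, "real host is hidden after an '@'"
    if not host:
        return False, "no host name"
    try:
        ipaddress.ip_address(host)
        return False, "raw IP address instead of a name"
    except ValueError:
        pass  # not an IP address, keep checking
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalised look-alike name"
    for domain in trusted:
        # Exact domain or a true subdomain; "live.com.evil.example" fails both.
        if host == domain or host.endswith("." + domain):
            return True, "host belongs to " + domain
    return False, "host is not a trusted login domain"

# Constructed sample links (all made up for this example).
SAMPLES = [
    "https://login.live.com/login.srf",
    "http://login.live.com/",
    "https://login.live.com.account-verify.example/",
    "https://www.facebook.com@vote-contest.example/login",
    "https://xn--fcebook-8va.com/login",
    "https://203.0.113.7/hotmail/verify",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_login_link(link), link)
```

Only the first sample passes; each of the others is rejected for a different reason that is easy to miss when glancing at a link.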
Man-in-the-middle attacks. These attacks succeed easily against people wanting to use free wifi Internet. Say you are at IHOP, McDonalds, the airport, or anywhere else that provides free wireless Internet service for your laptop computer. Beware, as bad guys using special “ARP poisoning” and “packet sniffing” software, sitting within range of the network’s wireless signal, can grab your passwords when you log in to your various accounts.
Another man-in-the-middle attack uses a malicious wireless network to lure victims away from one that is legitimate. Maybe the legitimate wireless network is named “IHOP,” or “Denver International Airport.” The bad guy, using simple, portable equipment, deploys a fake wifi hotspot in the same geographical area and names it something like, “IHOP2,” or “Denver Airport Wifi,” or simply, “Free Internet.” Thinking they are connecting to a legitimate network, victims connect to the fake network and their passwords are easily harvested.
Using untrusted computers and/or forgetting to log off. If you ever use computers that don’t belong to you, such as at an Internet café, the local library, school or work, you need to be certain that you log off or log out of the various online accounts that you use. It is also wise to dump all cookies and the browsing history. Otherwise, the next person that uses that computer … well, that was easy!
Bad guys also like to plug inexpensive hardware keyloggers, such as the KeyDemon (found at keelog.com), into computers like these, recording everything everyone types and collecting passwords by the boatload. It’s also pretty easy to sneak into most businesses and install these devices.
Virus infections. This is probably the easiest way for Internet crooks to steal your passwords. Many viruses are designed to sniff out passwords and install keyloggers on infected computers, sending the results back across the Internet to their masters. A piece of cake.
Don’t get all uppity just because you use an Apple Mac, either, and have drunk the “Macs don’t get viruses” Kool-Aid. My customer/victim Mary was using an Apple Mac, too. Over the objections of the idiot tech support clowns at AppleCare (who Mary called, seeking some free advice), I suggested she install some antivirus software on her Mac, since we didn’t really know exactly how her Hotmail account had been hacked. The result? Four viruses were found on her Mac. How about that?
The fact that Apple sells antivirus software on their website should tell you something. If you still don’t believe me, take a look at securemac.com. Peruse that website for a few hours. Then, ask yourself, “How much do I have to lose? What am I willing to risk?”
Next week: the saga continues with, “Oh no, you’ve been hacked! Now what? Part 3.”